Prioritizing risk under a deluge of vulnerabilities is stretching IT security professionals too thin, while the C-suite fails to provide adequate support, according to a Deloitte report.
Getting cybersecurity right is a difficult undertaking for enterprises, as high-profile data breaches underlie either a false sense of security or inadequate protections applied to systems in a given organization. With new norms such as BYOD, and the rise in popularity of applications written in Node.js that have extensive dependencies on third-party packages, the potential attack surface for IT security professional to cover has expanded significantly.
The 2019 Deloitte Future of Cyber Survey, which counts among its respondents 500 C-level executives who oversee cybersecurity at companies with $500 million or more in annual revenue, finds three primary challenges that businesses face in implementing strong cybersecurity measures:
SEE: SMB security pack: Policies to protect your business (Tech Pro Research)
1. Inability to better prioritize cybersecurity risk across the enterprise
Some 30% of respondents cited difficulties prioritizing potential risks across their organization. Given the volume of software vulnerabilities that are discovered, this is relatively unsurprising, particularly as the increase in officially-designated vulnerabilities is coinciding with a decreased understanding of them—and the security landscape in general. While wide-ranging, highly-publicized vulnerabilities like Spectre and Meltdown require patching, they are not particularly actively exploited, and exploits of those vulnerabilities are moderately challenging to pull off.
2. Lack of management alignment on priorities
Corralling the C-suite long enough to focus intently on a topic that does not bring in revenue can be a challenging task, as indicated by 28% of respondents claiming a lack of management alignment on priorities. Doing so comes at a great risk for companies, particularly as 2018 was the second most active year on record for data breaches, according to a Risk Based Security report.
3. Lack of adequate funding
Some 26% of respondents indicated a lack of adequate funding for cybersecurity measures, a problem that is pervasive among the C-suite, as IT departments at large are derided as money pits by those who lack understanding of the vital role that IT professionals play in their organization, or in the global digital economy. A Gartner report from November 2018 cited eight more reasons CEOs will be fired over cybersecurity breaches. If an appeal cannot be made on the merits of cybersecurity, perhaps an appeal toward self-preservation can shake free some funds from the threadbare pockets of stingy executives.
This is an IT problem, too
There is a mismatch in how IT approaches security as well, as the survey finds that 85% of respondents are reporting they use using Agile or DevOps for application development, but ranking DevSecOps lowest at 11% among cyber defense priorities and investments.
For more on security, check out the top 3 reasons cybersecurity pros are changing jobs.